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Abstract 

Pairwise key establishment is one of the fundamental se- 
curity services in sensor networks which enables sensor 
nodes in a sensor network to communicate securely with 
each other using cryptographic techniques. It is not feasi- 
ble to apply traditional public key management techniques 
in resource-constrained sensor nodes, and also because the 
sensor nodes are vulnerable to physical capture. In this pa- 
per, we introduce a new scheme called the identity based key 
pre-distribution using a pseudo random function (IBPRF), 
which has better trade-off between communication over- 
head, network connectivity and resilience against node cap- 
ture compared to the other key pre-distribution schemes. 
Our scheme can be easily adapted in mobile sensor net- 
works. This scheme supports the addition of new sensor 
nodes after the initial deployment and also works for any 
deployment topology. In addition, we propose an improved 
version of our scheme to support large sensor networks. 

1 Introduction 

In a sensor network, many tiny computing nodes called 
sensors, are scattered in an area for the purpose of sensing 
some data and transmitting the data to nearby base stations 
for further processing. The transmission between the sen- 
sors is done by short range radio communications. The base 
station is assumed to be computationally well-equipped 
whereas the sensor nodes are resource-starved. Such net- 
works are used in many applications including tracking of 
objects in an enemy's area for military purposes, distributed 
seismic measurements, pollution tracking, monitoring fire 
and nuclear power plants, tacking patients, engineering and 



medical explorations like wildlife monitoring, etc. Mostly 
for military purposes, data collected by sensor nodes need 
be encrypted before transmitting to neighboring nodes and 
base stations. 

The following issues make secure communication be- 
tween sensor networks different from usual (traditional) net- 
works: 

• Limited resources in sensor nodes: Each sensor node 
contains a primitive processor featuring very low com- 
puting speed and only small amount of programmable 
memory. An example is the popular Atmel ATmega 
128L processor 

• Limited life-time of sensor nodes: Each sensor node 
is battery-powered and is expected to operate for only 
few days. Therefore, once the deployed sensor nodes 
expire, it is necessary to add some fresh nodes for con- 
tinuing the data collection operation. This is referred 
to as the dynamic management of security objects (like 
keys). 

• Limited communication abilities of sensor nodes: Sen- 
sor nodes have the ability to communicate each other 
and the base stations by the short range wireless ra- 
dio transmission at low bandwidth and over small com- 
munication ranges (typical example is 30 meters (100 
feet)). 

• Lack of knowledge about deployment configuration: 
Most of cases, the post deployment network configu- 
ration is not known a priori. As a result, it is unreason- 
able to use security algorithms that have strong depen- 
dence on locations of sensor nodes in a sensor network. 



• Mobility of sensor nodes: Sensor nodes may be mo- 
bile or static. If sensor nodes are mobile then they can 
change the network configuration at any time. 

• Issue of node capture: A part of the network may be 
captured by the adversary/enemy. The resilience mea- 
surement against node capture is computed by compar- 
ing the number of nodes captured, with the fraction of 
total network communications that are exposed to the 
adversary not including the communications in which 
the compromised nodes are directly involved. 

Thus, it is not feasible to use public -key cryptosystems 
in resource constrained sensor networks. Hence, only the 
symmetric cipher such as DES/IDEA/RC5 fTT, TTl is the 
viable option for encryption/decryption of secret data. But 
setting up symmetric keys among communication nodes is 
a challenging task in a sensor network. A survey on sensor 
networks can be found in [2, JJ. 

The topology of sensor networks changes due to the fol- 
lowing three phases: 

• P re-deployment and deployment phase: Sensor nodes 
can be deployed from the truck or the plane in the sen- 
sor field. 

• Post-deployment phase: Topology can change after de- 
ployment because of irregularities in the sensor field 
like obstacles or due to jamming, noise, available en- 
ergy of the nodes, malfunctioning, etc., or due to the 
mobile sensor nodes in the network. 

• Redeployment of additional nodes phase: Additional 
sensor nodes can be redeployed at any time to replace 
the faulty or compromised sensor nodes. 

A protocol that establishes cryptographically secure 
communication links among the sensor nodes is called 
the bootstrapping protocol. Several methods 161 13] |8] |5] 
are already proposed in order to solve the bootstrapping 
problem. All these techniques are based on random deploy- 
ment models, that is, they do not use the pre-deployment 
knowledge of the deployed sensor nodes. Eschenauer and 
Gligor |6| proposed the basic random key predistribution 
called the EG scheme, in which each sensor is assigned a 
set of keys randomly selected from a big key pool of the 
keys of the sensor nodes. Chan et al. |3| proposed the 
g-composite key predistribution and the random pairwise 
keys schemes. For both the EG and the g-composite 
schemes, if a small number of sensors are compromised, it 
may reveal to compromise a large fraction of pairwise keys 
shared between non-compromised sensors. However, the 
random pairwise keys predistribution is perfectly secure 
against node captures, but there is a problem in supporting 
the large network. Liu and Ning's polynomial-pool based 



key predistribution scheme ||8] and the matrix-based key 
predistribution proposed by Du et al. [4] improve security 
considerably. Liu and Ning 1 10| proposed the extended ver- 
sion of the closest pairwise keys scheme |9 1 for static sensor 
networks. Their scheme is based on the pre-deployment 
locations of the deployed sensor nodes and a pseudo 
random function (PRE) proposed by Goldreich et al. Q. 
There is no communication overhead for establishing direct 
pairwise keys between neighbor nodes and the scheme is 
perfectly secure against node capture. 

The rest of the paper is organized as follows. Section 2 
describes our proposed scheme called the identity based key 
predistribution using a pseudo random function (IBPRF). In 
Section 3, we provide a theoretical analysis for this scheme. 
In Section 4, we discuss the security issues with respect to 
our scheme. In Section 5, we provide an improved version 
of our scheme for distributed sensor networks. In Section 6, 
we compare our scheme with the previous schemes |]6]|3]|8] 
with respect to communication overhead, network connec- 
tivity, and resilience against node captures. Finally, Section 
7 concludes the paper. 

2 Identity Based Key Pre- 
Distribution using a Pseudo Ran- 
dom Function (IBPRF) 

The bootstrapping protocol for the random key predistribu- 
tion schemes ||6l [3] [8] incurs much more communication 
overhead for establishing direct pairwise keys between 
sensor nodes in a sensor network. Our goal is to design a 
protocol which basically reduces the communication over- 
head for establishing direct pairwise keys between sensors 
during direct key establishment phase of the bootstrapping . 
We propose a new scheme called the identity based key 
predistribution using a pseudo random function (IBPRF), 
which serves our above desired purpose. 

IBPRF has the following interesting properties: 

• There is no communication overhead during direct key 
establishment phase for establishing direct pairwise 
keys between sensors. 

• There is no communication overhead during the addi- 
tion of new sensor nodes. 

• When the sensor nodes are mobile, our scheme easily 
establish direct pairwise keys between the mobile sen- 
sor nodes and their physical neighbors with which they 
do not share keys currently with some desired proba- 
bihty. 



• It works for any deployment topology. 
IBPRF is based on the following two ingredients: 

• A pseudo random function (PRF) proposed by Goldre- 
ich et al. in 1986 Q. 

• A master key (MK) shared between each sensor node 
and the key setup server. 

The different phases for this scheme are as follows. 



2.1 Key Pre-Distribution 

Let be a pool of the ids of n sensor nodes in a sensor net- 
work. Assume that each sensor node u is capable of holding 
a total of TO + 1 cryptographic keys in its key ring K^- The 
key predistribution has the following steps: 

• Step-1: For each sensor node u, the key setup server 
randomly generates a master-key MKu- 

• Step-2: For each sensor node u, the key setup server 
selects a set S of to randomly generated ids of sen- 
sor nodes from the pool N which are considered 
as the probable physical neighbors' ids. Let S = 
{wi, W2, • ■ • , Wm}- For each node id Vi ^ S [i = 
1,2,..., to), the key setup server generates a symmet- 
ric key SKu.vi = PRF mk^. {u) as the pairwise key 
shared between the nodes u and Vi, where MKy. is 
the master key for Vi and u is the id of the node u. 

For each Vi E S, the key-plus-id combination 
{SKu,vi Stored in u's key ring Ku- We note that each 

node Vi can easily compute the same key SK^.Vi with its 
master key and the id of node u. The sensor node v is called 
a master sensor node of u if the shared key between them is 
calculated by SKu.v — PRF mk^X''^)- In other words, node 
u is called a slave sensor node of w if w is a master sensor 
node of u. 

2.2 Direct Key Establishment 

After deployment of sensor nodes in a deployment area (i.e., 
target field), sensor nodes will establish direct pairwise keys 
between them. Direct key establishment phase has the fol- 
lowing steps: 

• Step-1: Each sensor node first locates its all physical 
neighbors. Nodes u and v are called physical neigh- 
bors if they are within the communication range of 
one another They are called key neighbors if they 
share a pairwise key. They are said to be direct neigh- 
bors if they are both physical as well as key neigh- 
bors. Now, after identifying the physical neighbors 



by a sensor node u, it can easily verify which ids 
of the physical neighbors exist in its key ring K^- 
If u finds that it has the predistributed pairwise key 
SKu,v — PRF MK^ {u) with node v then it informs 
sensor v that it has such a key. This notification is done 
by sending a short message containing the id of node u 
that u has such a key. We note that this message never 
contains the exact value of the key SKu.v 

• Step-2: Upon receiving such a message by node v, it 
can easily calculate the shared pairwise key SKu.v — 
PRF MK^ {u) by using its own master key and the id 
of node u. 

Thus, nodes u and v can establish a direct pairwise key 
shared between them very easily and use this key for their 
future communication. 

2.3 Path Key Establishment 

This is an optional stage, if requires, adds the connectiv- 
ity of the network. After direct key establishment, if the 
connectivity is still poor, nodes u and v which are physical 
neighbors not sharing a pairwise key, can establish a direct 
key between them as follows. 

• Step-1: u first finds a path {u = 

uq,ui,U2, ■ ■ ■ ,Uh-i,Uh = v) such that each 
(ui, Ui+i) (i = 0, 1, 2, . . . , ft, — 1) is a secure link. 

• Step-2: u generates a random number k' as the shared 
pairwise key between u and v and encrypts it using the 
shared key SKu.ui and sends to node ui. 

• Step-3: ui retrieves k' by decrypting the encrypted 
key using SKu,ui and encrypts it using the shared key 
SKu^,u2 between ui and U2 and sends to U2- 

• Step-4: This process is continued until the key k' 
reaches to the desired destination node v. 

As a result, nodes u and v use k' as the direct pairwise key 
shared between them for future communication. Since this 
process involves more communication overhead to establish 
a pairwise key between nodes, in practice /i = 2 or 3 is 
recommended. 

2.4 Mobility of Sensor Nodes 

Suppose that a sensor node u moves from one location to 
another Due to location updation of u, the connectivity 
of u with the new neighbors may also change. In the 
new location, assume that u finds the ids of its some new 
physical neighbors with which it does not currently share 
any keys. If v be one such physical neighbor, u informs to 
V that it has a pairwise key with v. This notification takes 



place by sending a request message to v containing the 
id of sensor node u excluding the exact value of the key. 
Upon receiving this message, v can immediately compute 
the pairwise key shared between them by executing one 
efficient PRF operation and by using the master key MKy 
for V and the id of sensor node u. Thus, u and v use this 
key for their future communication. 

After performing this stage, if sensor node u finds still 
poor connectivity, it may opt for at most 1 -hop path key es- 
tablishment because path key establishment involves more 
communication overhead. Of course we assume that mobil- 
ity of sensor nodes are infrequent. 

2.5 Addition of Sensor Nodes 

In order to add a new sensor node u, the key setup server 
selects a set 5 of to randomly generated ids of sensor 
nodes from the pool N. The key setup server randomly 
generates a master key MK^ for node u. For each sensor 
node id V ^ S, the key setup server takes the master key 
MKy and compute the secret key SK^.v = PRF mk^ (u) 
as the shared pairwise key between nodes u and v, and 
distributes the key -plus-id combination {SKu,v,v) to u. 
After deployment of sensor node u, it establishes direct 
pairwise keys using direct key establishment phase of 
IBPRF with the physical neighbors for which the ids are in 
m's key ring K^- 

Now, if u finds still poor connectivity after direct key 
establishment, it can perform path key establishment stage 
with 2 or 3 hops. 



3 Analysis 

In this section, we shall now compute the probability of es- 
tablishing direct keys between two sensor nodes during di- 
rect key establishment, and the probability of establishing 
a pairwise key between two sensor nodes during path key 
establishment. We shall also analyze the storage overhead 
and the communication overhead required by our scheme. 

3.1 Probability of Establishing Direct Keys 

Let p be the probability that two physical neighbors can 
establish a direct pairwise key. For the derivation of p, 
we first observe that two physical neighbors u and v can 
establish a pairwise key only if the key ring Ku of node 
u contains the shared secret key SKu,v = PRFmk^ (u) 
and the id of node v, or the key ring of node v contains 
the shared secret key SKy^u = PRF mk^W) and the id of 
node u because of the fact that any of nodes u and v can 



initiate for establishing a pairwise key between them. 

We then have, p = 1— (probability that both u and v do 
not establish a pairwise key). The total number of ways to 



select TO ids from the pool N of size n is 



For a 



fixed key ring of node u, the total number of ways to 
select Ky of a node v such that Ky does not have the id of 

n-1 



u IS 



Thus, we have 
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We note that p strictly depends on the network size n and 
the key ring size. 
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Figure 1: The probability p that two sensors establish a 
direct pairwise key v.s. the network size n, with m — 
100,150,200. 

It is clear from Figure 1 that when the network size is small, 
our scheme provides better connectivity. Therefore, our 
scheme can not support a large network. In section 5, we 
have proposed an improved version of our scheme to sup- 
port large networks. 

3.2 Probability of Establishing Keys using 1- 
hop Path Key Establishment 

If d be the average number of neighbor nodes that each sen- 
sor node can contact, it follows from the similar analysis 
in (SJ that the probability of two sensor nodes establishing 
a pairwise key (directly or indirectly) is 

Ps^i-{i-p){i-pY. 



(2) 



The network connectivity probabilities for path key es- 
tablishment with 1-hop are plotted in Figure 2. From this 




-« I • • • 1 

g 1 1.5 2 2.5 3 

number of hops (h) 

Figure 2: The probability ps of establishing a pairwise key 
v.s. the probability p that two sensor nodes establish a direct 
pairwise key, with d = 20, 60, 100. 

figure it is also clear that we are able to achieve better con- 
nectivity after executing this stage even if the network is 
almost disconnected initially. 

3.3 Calculation of Storage Overhead 

Each sensor node has to store a master key which is shared 
with the key setup server and m predistributed key-plus-id 
combinations. Hence, our scheme requires a storage over- 
head of maximum m + 1 keys for each sensor node. 

3.4 Calculation of Communication Overhead 

For establishing a pairwise key between two sensor nodes 
u and V, one of them, say u, initiates a request message to 
node V that its key ring contains the shared key between 
them. Then, after receiving such a request, node v com- 
putes the shared key between u and v by performing only 
one efficient PRF operation. Hence, the communication 
overhead involves only one short message for informing the 
other node that it has a pairwise key and the computational 
overhead due to single efficient PRF operation. 

4 Security Considerations 

The security of IBPRF depends on the following facts: 

• The security of PRF [|7j . 

• A node's master key MK which is shared with the key 
setup server 

It is observed that if a node's master key is not disclosed, 
no matter how many pairwise keys generated by this master 
key are disclosed, the task is still computationally difficult 



for an adversary to recover the master key MK as well as the 
non-disclosed pairwise keys generated with different ids of 
sensor nodes. Again, each pre-distributed pairwise key be- 
tween two sensor nodes is generated by using PRF func- 
tion randomly. Thus, no matter how many sensor nodes 
are compromised, the direct pairwise keys between non- 
compromised nodes are still secure. In other word, node 
compromise does not eventually lead to compromise of the 
direct pairwise keys between the other non-compromised 
nodes. In this way, our scheme provides perfect security 
against node captures. 

5 The Improved Scheme 

We note that our basic scheme (IBPRF) provides better 
connectivity if the network size is small, whereas it pro- 
vides perfect security against node captures. In fact, there 
is no communication overhead during establishment of the 
direct pairwise keys between sensors and also during the 
addition of nodes after their initial deployment. 

To support a large sensor network, we wish to apply 
our basic scheme in distributed sensor networks. The 
deployment region is divided into c number of sub-regions 
called the cells such that each cell can communicate with 
the base stations comfortably. Let the i-th cell be denoted 
by celli. Assume that each celk contains rii number of 
sensor nodes. In practical situation, it is not always possible 
to deploy each node to a pre-determined location in the 
deployment region. We further assume that the key setup 
server only knows the nodes containing to a particular cell 
which will be deployed in that region randomly. In practice, 
this assumption is appropriate. Under this configuration, 
we now apply our basic scheme to each cell as follows. 

Let Ni be the pool of the ids of Ui sensor nodes in a 
cell celli. Assume that each sensor node u is capable 
of holding a total of rn + 1 cryptographic keys. In key 
pre-distribution phase, for each node u £ celk, the key 
setup server randomly generates a master key MKu ■ For 
each node u e celU, the key setup server also selects a set 
5 of TO randomly generated ids of the sensor nodes from the 
pool Ni. For each v d S, the key setup server generates a 
symmetric key SKu,v = PRF mk^ (m) as the pairwise key 
shared between nodes u and v, where MK^ is the master 
key for node v and u is the id for node u. The key-plus-id 
combination {SKu.v,v) is stored in it's key ring Ku. 
After deployment of the sensor nodes, they establish direct 
pairwise keys using direct key establishment phase of our 
basic scheme (IBPRF). The other phases like path key 
establishment, mobility of sensor nodes, and addition of 
sensor nodes remain same as our basic scheme. 



Thus, sensor nodes in each cell establish pairwise 
keys between them and communicate with each other 
in that cell securely. For mobility of the sensor nodes, 
we restrict the sensor nodes to move in a particular cell only. 

Let Pi denote the probability that two sensor nodes in the 
i-th cell celli can establish a direct pairwise key between 
them. Similar to analysis in 3.1, we have 
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The (average) probability that two sensor nodes in a net- 
work of size n — J2'i=i^i' establish a direct pairwise key 
between them is given by 



P 



(4) 



Hence, we are able to achieve better connectivity for the 
entire network by using our improved version and selecting 
the appropriate size of the cells. However, the communi- 
cation overhead as well as resilience measurement against 
node captures remain same as our basic scheme (IBPRF). 
We note that this improved scheme may not always work 
for ad hoc mode sensor networks. 



6 Comparison 
Schemes 
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Previous 



In this section, we compare both our basic scheme (IBPRF) 
and the improved scheme with the EG |6 |, the g-composite 
(qC) |3|, and the polynomial-pool based |8| schemes 
with respect to the communication overhead, network 
connectivity and resilience against node captures. 

(1) Communication overhead 

For the EG and the g-composite schemes, when a node 
wishes to establish pairwise keys with its physical neighbor 
nodes, it needs to send a list of some messages encrypted 
by keys in its key ring. 

In case of the polynomial -pool based scheme, a sensor 
node also needs to send a list of some messages encrypted 
by potential pairwise keys based on its polynomial shares 
for establishing a direct pairwise key with a physical 
neighbor. 

Thus, the communication overhead is on the order of the 
key ring size for these schemes. But, for our schemes, the 
communication overhead is only due to one short message 
sent by a node to inform its physical neighbor that it has 



a pairwise key in its key ring and a single efficient FRF 
operation for computing the shared key SK by the physical 
neighbor Hence, both our basic scheme (IBPRF) and the 
improved scheme have much less communication overhead 
than the EG, the g-composite, and the polynomial-pool 
based schemes. 

(2) Resilience against node capture 

From the analysis of the EG scheme l&l and the q- 
composite scheme [3], it follows that even if the number of 
nodes captured is small, these schemes may reveal a large 
fraction of pairwise keys shared between non-compromised 
sensors. The analysis of the polynomial-pool based 
scheme |f8l shows that this scheme is unconditionally se- 
cure and i-collusion resistant. Thus, it has better resilience 
against node captures than the EG and the g-composite 
schemes. However, both our basic scheme (IBPRF) and 
the improved scheme provide perfect security against node 
captures. 

(3) Network connectivity 

For the EG scheme |6|, the probability of establishing a 
direct pairwise key between two sensor nodes is 
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where M and m are the key pool size and key ring size of a 
sensor node. 

For the g-composite scheme f3l, the probability of estab- 
lishing a direct pairwise key between two sensor nodes is 
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where pi 
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the key pool size and m is the key ring size of a sensor node. 

For the polynomial-pool based scheme fSl, the probabil- 
ity of establishing a direct pairwise key between two sensor 
nodes is 
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where s is the polynomial-pool size and s' is the number 
of shares given to a sensor node. Thus, we see that the EG 



and the g-composite schemes depend on M and m. The 
polynomial-pool based scheme depends on s and s' and 
the maximum supported network size is bounded by -^^^r^, 
where t is the degree of the symmetric bivariate polynomial, 
whereas our scheme depends on the network size n and the 
key ring size m. 
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Figure 3: The probability p of establishing a common key 
v.s. the maximum supported network size n in order to be 
resilient against node compromise. Assume that each sensor 
node is capable of holding 200 keys. 

For comparison of network connectivity, we only con- 
sider the polynomial-pool based scheme because it is more 
resilient against node compromise than the EG scheme and 
the g-composite scheme. However, both the EG scheme and 
the g-composite scheme support networks of arbitarily big 
sizes. The relationship between the probability of establish- 
ing direct keys and the maximum supported network size 
for the polynomial-pool based scheme and our basic scheme 
(IBPRF) is shown in Figure 3. We assume that each sensor 
is capable of storing 200 keys in its key ring. From this 
figure, it is very clear that our scheme provides better con- 
nectivity than the polynomial-pool based scheme in order to 
be resilient against node compromise. 

7 Conclusion 

Our basic scheme (IBPRF) is an alternative to direct key 
establishment of the bootstrapping protocol. Both IBPRF 
and the improved scheme guarantee that they have better 
trade-off between communication overhead, network con- 
nectivity and also resilience against node captures compared 
to the EG, the g-composite, and the polynomial-pool based 
schemes. Both schemes can also be adapted for mobile sen- 
sor networks by initiating direct key establishment phase 
and one can achieve reasonable connectivity by applying 
these schemes. 
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